
New Ursnif Attack Campaign

Proto: N040220.

Yoroi hereby wishes to inform you of a new attack campaign currently under way against Italian companies and users. The attacks take the form of fraudulent, legal-themed emails that invite the victims to download and view the contents of an infected compressed archive.

Once opened, the archive is potentially able to compromise the target machine by installing malware of the Ursnif family (TH-196), which is capable of intercepting user keystrokes and active web sessions, providing backdoor access, and downloading further malware.

In particular, the Ursnif variant distributed during this campaign is digitally signed by a Slovenian company. This circumstance can increase the likelihood that the attack succeeds.

The indicators of compromise extracted during the analyses conducted are reported below:


Finally, Yoroi recommends keeping users' awareness high by periodically notifying them of ongoing threats, and relying on a team of experts to safeguard the security of the "cyber" perimeter. For a real-time threat index, please visit the following link: Yoroi Cyber Security Index
